This article discusses DirectAccess troubleshooting and log collection. This is the recommended way to collect logs and send them to your corporate administrators.
For DirectAccess setup and configuration, please check here.
Introduction
Microsoft DirectAccess is an awesome technology that connects you seamlessly to your corporate network, without installing any client or configuring any setting on the end user's side. Sometimes DirectAccess doesn’t connect, or stays in the “connecting” state for a long time. When you contact your DirectAccess administrator, the first thing required is to collect the DirectAccess logs and send them to the administrator.
If everything is configured correctly and you have an email client configured on your computer (whether it’s Outlook or the default Windows Mail), navigate to Settings – Network & Internet – DirectAccess in Windows 10 and you will find a button named “Collect”. When you hit Collect, it opens your configured mail client and attaches the DirectAccess logs to a new message. You can enter your “TO” address, for instance your administrator or Help Desk team; it may already be populated with this address if your administrator configured it on the server.
Super easy and very efficient: all you need from your user is a click on Collect. You then get their logs, analyze them, figure out the problem, and that’s it.
So what is the catch? Well, it’s not working as designed! This was noticed on several machines starting with Windows 10 1703: when users hit “Collect”, nothing happens, although they have everything configured correctly (mail client and server-side settings).
Upon checking this issue with the Microsoft Support team, it was concluded that this is a kind of bug. It started with Windows 10 1703 (earlier versions like Windows 10 1607 work fine). However, it occurs only on machines with more than 3.8 GB of memory (most of our new laptops and machines). It works fine if you have 3.8 GB of memory or less.
Reason for the Problem:
The reason behind this bug is that the Creators Update (Windows 10 1703) introduced a new feature: service host splitting, which lets SVCHOST run an independent process for each service. The service in question here is the Network Connectivity Assistant, “NCASVC”, which runs under the NetSVC SVCHOST.
So “NCASVC” is split into its own SVCHOST and log collection fails. Log collection is a series of PowerShell commands that run on the machine, and they fail to launch because the new split process is missing the “SeAssignPrimaryTokenPrivilege” privilege.
Workaround/Solution
Microsoft provided two workarounds/solutions: either disable the split for this service or grant it the needed privilege. To fix the issue, apply just one of the solutions below:
- Disable the split mentioned above by creating a DWORD registry value “SvcHostSplitDisable” set to 1 under “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcaSvc”, then restart your client machine.
- Add “SeAssignPrimaryTokenPrivilege” to “RequiredPrivileges” in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcaSvc, then restart your client machine.
That’s all you need to do on your client machine (Windows 10 1703 and above with more than 3.8 GB of memory). Test it on one machine, and then you can distribute this registry fix to all your DirectAccess machines. You can use SCCM, Intune or any software distribution tool.
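The two registry workarounds above as a PowerShell function, added here as an example; it is not from the original article or from Microsoft. The function name `Set-NcaSvcCollectFix` and its parameters are hypothetical, while the key, value names and data are the ones listed above. It only reports the current state by default, and it appends to the existing `RequiredPrivileges` list instead of overwriting it, so the privileges the service already declares are kept.

```powershell
# Added example: audit or apply ONE of the two NcaSvc workarounds from the article.
# Function and parameter names are hypothetical. Writing to HKLM needs an elevated session.
function Set-NcaSvcCollectFix {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('Audit', 'DisableSplit', 'AddPrivilege')]
        [string]$Mode = 'Audit',
        # Overridable so the function can be tried against a scratch key first.
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NcaSvc'
    )
    $priv = 'SeAssignPrimaryTokenPrivilege'
    if (-not (Test-Path -LiteralPath $KeyPath)) { throw "Key not found: $KeyPath" }

    $props   = Get-ItemProperty -LiteralPath $KeyPath
    $split   = $props.SvcHostSplitDisable                          # $null when absent
    $current = @($props.RequiredPrivileges | Where-Object { $_ })  # REG_MULTI_SZ -> string[]
    $changed = $false

    switch ($Mode) {
        'DisableSplit' {
            if (($split -ne 1) -and $PSCmdlet.ShouldProcess($KeyPath, 'Set SvcHostSplitDisable = 1')) {
                New-ItemProperty -LiteralPath $KeyPath -Name SvcHostSplitDisable `
                    -PropertyType DWord -Value 1 -Force | Out-Null
                $changed = $true
            }
        }
        'AddPrivilege' {
            # Append, never replace: the existing entries must survive the edit.
            if (($current -notcontains $priv) -and $PSCmdlet.ShouldProcess($KeyPath, "Append $priv")) {
                New-ItemProperty -LiteralPath $KeyPath -Name RequiredPrivileges `
                    -PropertyType MultiString -Value ([string[]]($current + $priv)) -Force | Out-Null
                $changed = $true
            }
        }
    }

    # Re-read the key so the report reflects what is actually stored.
    $after = Get-ItemProperty -LiteralPath $KeyPath
    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        SvcHostSplitDisable    = $after.SvcHostSplitDisable
        HasAssignPrimaryToken  = @($after.RequiredPrivileges) -contains $priv
        RestartNeeded          = $changed   # the article requires a restart after either change
    }
}

Set-NcaSvcCollectFix                          # report only, changes nothing
# Set-NcaSvcCollectFix -Mode DisableSplit     # option 1 from the list above
# Set-NcaSvcCollectFix -Mode AddPrivilege     # option 2 from the list above
```

Running it with `-WhatIf` shows the change that would be made without writing to the registry, and the returned object can be collected by SCCM or Intune to confirm which machines carry the fix.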
Hopefully this will help some of you facing this issue.
Thanks a million!
Was scratching my head over this for hours!
Full key name with slashes:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcaSvc